Arrière-plan
OS: Ubuntu 16.04 x64 s'exécutant sur VirtualBox
Je suis un développeur avec un minimum de connaissances en Ubuntu/Linux et j'ai été affecté à un projet dont le but est d'utiliser tcpcrypt lors de la communication avec certains ordinateurs d'extrémité.
tcpcrypt est livré avec un script shell qui définit les entrées requises dans iptables pour acheminer les paquets vers tcpcrypt afin d’encrer/déchiffrer. Après l'exécution de ce script, iptables ressemble à ceci:
filtre
Chain INPUT (policy ACCEPT 4 packets, 552 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lo any anywhere anywhere tcp dpt:65530 tos match0x22/0xff
0 0 NFQUEUE tcp -- any any !localhost anywhere tcp dpt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere anywhere multiport sports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE tcp -- any any anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere anywhere tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s owner UID match tcpcryptd
REDIRECT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TOS all -- anywhere anywhere tos match0x04/0xff TOS and 0x00
Avec ces entrées, , chaque paquet est placé dans une file d'attente où tcpcrypt choisit pour enc/dec.
UPDATE
Voici le script pour iptables:
#!/bin/sh
#DAEMON_USER DIVERT_PORT ONLY_PORTS OMIT_PORTS
# determine which operation is requested (Append or Delete)
if [ "$1" = "start" -o -z "$1" ]; then
# during startup, bail early if any of these commands fails
set -e
OP="-A"
Elif [ "$1" = "stop" -o "$1" = "-f" ] ; then
OP="-D"
else
echo "Expected \"start\" or \"stop\" as first argument" >&2
exit 1
fi
# determine which ports should be tcpcrypt-enabled
if [ -z "$ONLY_PORTS" -a -z "$OMIT_PORTS" ] ; then
echo "Expected either OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
exit 1
fi
if [ -n "$ONLY_PORTS" -a -n "$OMIT_PORTS" ] ; then
echo "Expected only one of OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
exit 1
fi
if [ -n "$OMIT_PORTS" ] ; then
PORT_TEST=!
PORTS="$OMIT_PORTS"
fi
if [ -n "$ONLY_PORTS" ] ; then
PORT_TEST=
PORTS="$ONLY_PORTS"
fi
# more necessary configuration
if [ -z "$DAEMON_USER" ] ; then
echo "Expected DAEMON_USER environment variable to be set" >&2
exit 1
fi
if [ -z "$DIVERT_PORT" ] ; then
echo "Expected DIVERT_PORT environment variable to be set" >&2
exit 1
fi
# some shorthand to make rules more concise
from_enabled_port="-m multiport $PORT_TEST --source-ports $PORTS"
to_enabled_port="-m multiport $PORT_TEST --destination-ports $PORTS"
NFQUEUE="NFQUEUE --queue-num $DIVERT_PORT"
CRYPT_PORT="65530"
REDIRECT="REDIRECT --to-port $CRYPT_PORT"
INJECT_TOS="0x22"
HANDSHAKE_TOS="0x04"
filter="$ECHO iptables -t filter $OP"
# Injection from daemon: Accept
$filter INPUT -i lo -p tcp --dport $CRYPT_PORT \
-m tos --tos $INJECT_TOS \
-j ACCEPT
# SYN redirected to daemon:
# Queue for daemon to initiate proxy connection with original destination
$filter INPUT -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN \
-j $NFQUEUE
# SYN+ACK on proxy connection:
# Queue for daemon to complete original handshake
$filter INPUT -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK \
-j $NFQUEUE
# Handshake packet of proxy connection from daemon:
# Queue for daemon to set tcp options via DIVERT_MODIFY
$filter OUTPUT -p tcp $to_enabled_port \
-m tos --tos $HANDSHAKE_TOS \
-m owner --uid-owner $DAEMON_USER \
-j $NFQUEUE
# SYN+ACK on redirected connection:
# Queue for daemon to delay handshake until proxy connection succeeds
$filter OUTPUT -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK \
-j $NFQUEUE
nat="$ECHO iptables -t nat $OP"
# Inbound connection for enabled ports:
# Redirect to daemon (at localhost:$CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
# for the lifetime of this connection.)
$nat PREROUTING -p tcp $to_enabled_port \
-j $REDIRECT
# Proxy connection from daemon to enabled port: Accept
$nat OUTPUT -p tcp $to_enabled_port \
-m owner --uid-owner $DAEMON_USER \
-j ACCEPT
# Outbound connections to enabled ports on remote hosts:
# Redirect to daemon (at localhost port $CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
# for the lifetime of this connection.)
$nat OUTPUT \! -o lo -p tcp $to_enabled_port \
-j $REDIRECT
mangle="$ECHO iptables -t mangle $OP"
# Packets leaving the machine with bookkeeping mark: Remove mark
$mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS \
-j TOS --set-tos 0x00
Question
Comment dois-je modifier iptables
avec les entrées actuelles (voir ci-dessus) pour respecter les restrictions suivantes:
Ce que j'ai essayé
A) J'ai essayé d'ajouter l'adresse IP souhaitée à la destination TCP dans la chaîne OUTPUT
qui ressemble à:
Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
B) J'ai essayé d'ajouter des paramètres de source et de destination à NAT règles:
target prot opt source destination
REDIRECT tcp -- XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
Mais tous les paquets, quelle que soit l'adresse de destination, sont envoyés à tcpcrypt.
Trouvé une solution, une solution de travail basée sur méthode B):
Pour les paquets entrants sur la chaîne nat
de la table PREROUTING
de la table, j'essayais de filtrer comme ci-dessous
$nat PREROUTING -p tcp -s XXX.XXX.XXX.XXX $to_enabled_port \
-j $REDIRECT
où -s
l'option et la valeur IP sont après -p tcp
. Puis je l'ai changé pour
$nat PREROUTING -s XXX.XXX.XXX.XXX -p tcp $to_enabled_port \
-j $REDIRECT
Avec ce changement et en modifiant la chaîne OUTPUT
de nat
en conséquence, les résultats souhaités ont été atteints.
Fait intéressant, la sortie de iptables -t nat --line-numbers -L -nv
est identique à l’une des commandes ci-dessus. Pourtant, seul le second produit des résultats en fonction de mes restrictions.
Here est la version modifiée de iptables.sh
qui permet de spécifier une ou plusieurs adresses IP pour restreindre tcpcrypt.
Voir FILTER_IP
ci-dessous.
#!/bin/sh
#DAEMON_USER DIVERT_PORT ONLY_PORTS OMIT_PORTS
# determine which operation is requested (Append or Delete)
if [ "$1" = "start" -o -z "$1" ]; then
# during startup, bail early if any of these commands fails
set -e
OP="-A"
Elif [ "$1" = "stop" -o "$1" = "-f" ] ; then
OP="-D"
else
echo "Expected \"start\" or \"stop\" as first argument" >&2
exit 1
fi
# determine which ports should be tcpcrypt-enabled
if [ -z "$ONLY_PORTS" -a -z "$OMIT_PORTS" ] ; then
echo "Expected either OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
exit 1
fi
if [ -n "$ONLY_PORTS" -a -n "$OMIT_PORTS" ] ; then
echo "Expected only one of OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
exit 1
fi
if [ -n "$OMIT_PORTS" ] ; then
PORT_TEST=!
PORTS="$OMIT_PORTS"
fi
if [ -n "$ONLY_PORTS" ] ; then
PORT_TEST=
PORTS="$ONLY_PORTS"
fi
# more necessary configuration
if [ -z "$DAEMON_USER" ] ; then
echo "Expected DAEMON_USER environment variable to be set" >&2
exit 1
fi
if [ -z "$DIVERT_PORT" ] ; then
echo "Expected DIVERT_PORT environment variable to be set" >&2
exit 1
fi
# some shorthand to make rules more concise
from_enabled_port="-m multiport $PORT_TEST --source-ports $PORTS"
to_enabled_port="-m multiport $PORT_TEST --destination-ports $PORTS"
NFQUEUE="NFQUEUE --queue-num $DIVERT_PORT"
CRYPT_PORT="65530"
REDIRECT="REDIRECT --to-port $CRYPT_PORT"
INJECT_TOS="0x22"
HANDSHAKE_TOS="0x04"
# You can specify multiple IPs, or a IP range accrding to required format
# For example, restricting tcpcrypt to 192.192.192.192 and 127.127.127.127
# FILTER_IP="192.192.192.192,127.127.127.127"
# See iptables manpage for more info
FILTER_IP="XXX.XXX.XXX.XXX"
filter="$ECHO iptables -t filter $OP"
# Injection from daemon: Accept
$filter INPUT -i lo -p tcp --dport $CRYPT_PORT \
-m tos --tos $INJECT_TOS \
-j ACCEPT
# SYN redirected to daemon:
# Queue for daemon to initiate proxy connection with original destination
$filter INPUT -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN \
-j $NFQUEUE
# SYN+ACK on proxy connection:
# Queue for daemon to complete original handshake
$filter INPUT -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK \
-j $NFQUEUE
# Handshake packet of proxy connection from daemon:
# Queue for daemon to set tcp options via DIVERT_MODIFY
$filter OUTPUT -p tcp $to_enabled_port \
-m tos --tos $HANDSHAKE_TOS \
-m owner --uid-owner $DAEMON_USER \
-j $NFQUEUE
# SYN+ACK on redirected connection:
# Queue for daemon to delay handshake until proxy connection succeeds
$filter OUTPUT -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK \
-j $NFQUEUE
nat="$ECHO iptables -t nat $OP"
# Inbound connection for enabled ports:
# Redirect to daemon (at localhost:$CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
# for the lifetime of this connection.)
$nat PREROUTING -s $FILTER_IP -p tcp $to_enabled_port \
-j $REDIRECT
# Proxy connection from daemon to enabled port: Accept
$nat OUTPUT -p tcp $to_enabled_port \
-m owner --uid-owner $DAEMON_USER \
-j ACCEPT
# Outbound connections to enabled ports on remote hosts:
# Redirect to daemon (at localhost port $CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
# for the lifetime of this connection.)
$nat OUTPUT -d $FILTER_IP \! -o lo -p tcp $to_enabled_port \
-j $REDIRECT
mangle="$ECHO iptables -t mangle $OP"
# Packets leaving the machine with bookkeeping mark: Remove mark
$mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS \
-j TOS --set-tos 0x00